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Abstract — A conjugate code pair is denned as a pair of linear 
codes such that one contains the dual of the other. The conjugate 
code pair represents the essential structure of the corresponding 
Calderbank-Shor-Steane (CSS) quantum code. It is argued that 
conjugate code pairs are applicable to quantum cryptography in 
order to motivate studies on conjugate code pairs. 

Index Terms — conjugate codes, quotient codes, cryptographic 
codes. 

I. Introduction 

Since the invention of the first algebraic quantum error- 
correcting code (QECC) by Shor [1] in 1995, the theory of 
QECCs has been developed rapidly. The first code was soon 
extended to a class of algebraic QECCs called Calderbank- 
Shor-Steane (CSS) codes [2] and then to a more general class 
of QECCs, which are called symplectic codes or stabilizer 
codes [3], [4], [5]. 

In this paper, we focus on CSS codes. It is well-known 
that this class of symplectic codes are useful for quantum 
key distribution (QKD), at least, in theory. In particular, 
Shor and Preskill [6] argued that the security of the famous 
Bennett-Brassard 1984 (BB84) QKD protocol could be proved 
by evaluating the fidelity of quantum error-correcting codes 
underlying the protocol. 

The term 'conjugate codes' appearing in the title is almost 
a synonym for CSS codes if one forgets about quantum 
mechanical operations for encoding or decoding and pays 
attention only to what can be done in the coding theorists' 
universe of finite fields. This term was coined here so that 
this issue would be more accessible to those unfamiliar with 
quantum information theory. 

Recently, the present author [7] proved the existence of CSS 
codes that outperforms those proved to exist in the litera- 
ture [2], and quantified the security and reliability of CSS- 
code-based QKD schemes rigorously assuming ideal discrete 
quantum systems. Although we have treated QKD in [7], the 
CSS-code-based QKD scheme can be viewed as merely one 
application of conjugate codes (CSS codes). For example, the 
arguments in [7] also imply that conjugate codes can be used 
as cryptographic codes that directly encrypt secret data as 
will be elucidated in the sequel. Here, we remark that QKD 
means techniques for sharing a secret key between remote 



parties, and the shared key itself is not the secret message 
that the sender wishes to send. A typical scenario is that after 
sharing the key, the sender encrypts a secret data using the 
key and sends it to the receiver and the receiver decrypts the 
data using the shared key. The direct encryption is mightier, 
and can be used as QKD if one wishes. Turning back to the 
original motivation of (algebraic) QECCs, these codes deemed 
indispensable for quantum computing since quantum states are 
more vulnerable to errors or quantum noise, most notably to 
decoherence. Among QECCs, CSS codes are said to be suited 
for fault-tolerant quantum computing (e.g., [8] and references 
therein). 

The aim of this work is to enhance motivation to study 
this class of codes. In particular, applications to cryptography, 
which allow direct encryption, are emphasized. We remark 
that a large portion of this paper is nearly a paraphrase of a 
part of [7] though our description is slightly more general in 
that we explicitly treat a general code pair (Ci, C2) satisfying 
a certain condition, which will be given shortly, whereas [7] 
describes the result for the case where C\ = C2. 

This paper is organized as follows. In Section UTI conjugate 
codes are introduced, and in Section [III] CSS quantum codes 
are explained. In Section Hvl it is argued that conjugate code 
pairs are applicable to quantum cryptography. General sym- 
plectic codes, and quotient codes, are explained in Sections [V] 
and IVII respectively. Sections IVIII and IVIIII contain remarks 
and a summary, respectively. 

II. Conjugate Codes 

We write B < C if B is a subgroup of an additive group 
C. We use a finite field ¥ q of q elements, and the dot product 
defined by 

n 

(xi, . . . ,x n ) ■ (yx, ...,y n ) = ^2x { y t (1) 

i=i 

for vectors in F™. We let C 1 - denote {y e F™ V.t e C, x-y = 
0} for a subset C of F™. 

We mean by an [[n, k]] conjugate (complementary) code 
pair or CSS code pair over ¥ q a pair (Ci, C2) consisting of an 
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[n, k{\ linear code C\ and an [n, k 2 ] linear code C2 satisfying 1 

Ci<C x , (2) 
which condition is equivalent to < C 2 , and 

k = k\ + k,2 — n. (3) 

If Ci and C 2 satisfy @, the quotient codes C^jC^ and 
C2/C1 are said to be conjugate. The notion of quotient codes 
was introduced in [9], and will be explained in Section IVTI 

The goal, in a long span, is to find a conjugate code 
pair (Ci,C 2 ) such that both C1/C2 and C2/C1 have good 
performance. If the linear codes C\ and C2 both have good 
performance, so do C1/C2 and C^/C-j 1 . Hence, a conjugate 
code pair (Ci, C2) with good (not necessarily a technical term) 
Ci and C2 is also desirable. 

III. Calderbank-Shor-Steane Codes 

The complex linear space of operators on a Hilbert space 
H is denoted by L(H). A quantum code usually means a 
pair (Q,1Z) consisting of a subspace Q of H®" and a 
trace-preserving completely positive (TPCP) linear map 1Z on 
L(H®"), called a recovery operator. The subspace Q alone 
is also called a code. Symplectic codes have more structure: 
They are simultaneous eigenspaces of commuting operators on 
H® n . Once a set of commuting operators is specified, we have 
a collection of eigenspaces of them. A symplectic code refers 
to either such an eigenspace or a collection of eigenspaces, 
each possibly accompanied by a suitable recovery operator. In 
this section and the next, we assume H is a Hilbert space of 
dimension q, and q is a prime (but see Section fVII-E> . Then, 
F q = Z/qZ. We fix an orthonormal basis (\i))f~ of H. 

In constructing symplectic codes, the following basis of 
L(H®") is used. Let unitary operators X, Z on H be defined 
by 

X|j) = |j-1>, Z\j)=u*\j), je¥ q (4) 

with oj being a primitive q-th root of unity (e.g., e l27r / <? ). For 
u = (ui, . . . , u n ) G F™, let X u and Z u denote X Ul ® ■ • ■ ® 

and Z Ul ®- ■ -(g)Z u ", respectively. The operators 
it, 10 G F™, form a basis of L(H® n ), which we call the Weyl 
(unitary) basis [15]. We have the commutation relation 

(X U Z W )(X U ' Z w ') = u u - w '- w - u '{X u ' Z W '){X U Z W ), (5) 

for u,w,u',w' G F™, which follows from = cjZX. It 
is sometimes useful to rearrange the components of (u, w) 
appearing in the operators X U Z W in the Weyl basis as follows: 
For u = (ui, . . . , u n ) and w = (wi, . . . , w n ) £ F™, we denote 
by [u, w] the rearranged one 

((ux,wi), . . . , (u n ,w n )) G X n , 

where X = ¥ q x¥ q . We occasionally use another symbol N 
for the Weyl basis: 

N[ u>w ] = X U Z W 

'When the number of elements of a code C C is q k , it is called an [n, k] 
code. Readers unfamiliar with coding theory are referred to [9, Section 2] or 
standard textbooks such as [10], [11], [12], [13], [14]. 



and 

Nj = {N x \xeJ}, J C X n . 

An obvious but important consequence of Q is that X U Z W 
and X u Z w commute if and only if u ■ w' — w ■ u' = 0. The 
map 

([it, w], [u , w ]) h- * u ■ w — w ■ u (6) 

is a symplectic bilinear form, which we refer to as standard. 

A CSS code is specified by two classical linear codes (i.e., 
subspaces of F") C\ and C2 with (|2j. 2 Coset structures are 
exploited in construction of CSS codes. We fix some set of 
coset representatives of the factor group F^/Ci, for which 
the letter x is always used to refer to a coset representative in 
this section, that of Ci/C^, for which v is used, and that of 
F™/C2, for which z is used. These may be written as 

x G F^/d, 
z G F£/C 2l 
v e C1/C2 1 

where G is in abuse as usual. Put ki = dimCi, &2 = 
dimC2, and assume g%, ■ . ■ ,g n -k 2 form a basis of C2, and 
hi, ... , hn^kx form a basis of C-j 1 . We assume k\ is larger 
than n — k%. 
The operators 

Z hl Z h — k i , X 91 , . . . , X 9 — k i , (7) 

which generate the so-called stabilizer of the CSS code, 
commute with each other, so that we have simultaneous 
eigenspaces of these operators. Specifically, put 

\0 XZV ) = -L= ]T tS^x + v + w) (8) 

V l°2 I weC ± 

for coset representatives x, z and v. Then, we have 

Z hs \<j) xzv ) =u x ' hi \<t> XZ v), j = l,...,n-h 

and 

X g i \<j) xzv ) = to*- 9 ? \<t> xzx ), j = 1, . . . ,n - k 2 - 

It can be checked that \<j> xtv ), x G F™/d, z G F^/C 2 , « G 
C1/C2, form an orthonormal basis of H® n . In words, we have 
g fel+fe2_n -dimensional subspaces Q xz such that Q) x Q xz = 
l_l®n an( j j s S p annec [ by orthonormal vectors l^^zt,}, 

v G C1/C2 1 , for each pair (a;,*) G (Fj/Ci) x (F"/C 2 ). 
The subspaces Q X2 , (x, z) £ (F^/Ci) x (F£/C 2 ), are the 
simultaneous eigenspaces of the operators in |7), and form a 
CSS code. 

In [7], we have treated the case when C\ = C2 = C with 
a code C. In this case, C is necessarily self-orthogonal 3 by 
(|2j- We will consistently use k to denote the logarithm of the 
dimension of Q xz , viz., 

k = ki + k 2 - n = log g dim c Q xz . (9) 

2 Our code pair (CijC^) often appears as (Ci^C^) in the literature [2], 
[6], [9]. Our choice would be more acceptable to coding theorists because 
good (not necessarily a technical term) codes C\ and C2 result in a good 
CSS code while the performance of seemingly has no direct meaning. 

3 A subspace C with C < C , which is equivalent to Vx, y G C, x y = 0, 
is said to be self-orthogonal (with respect to the dot product). 
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Decoding or recovery operation for a CSS quantum code 
can be done as follows. If we choose a set I\ of coset 
representatives of F™/C, (i — 1,2), we can construct a 
recovery operator 1Z for so that the code (Q XZ ,TZ) is 
-^j(ri,r 2 )" correctm g in the sense of [16], where J(-, •) is 
defined by 

J(T 1 ,T 2 ) = {[x,z] \xeTi andzer 2 }. (10) 
In fact, Q. xz is Nj^i -correcting with 

r; = ri + ci and r' 2 = r 2 + c£. (ii) 

This directly follows from the general theory of symplectic 
codes [4], [5], [17, Proposition A. 2] on noticing that the 
operators in the Weyl basis that commute with all of those 
in are X U Z W , u € Ci,w € C 2 (see also Sections |VJ and 

ED. 

IV. CSS Codes as Cryptographic Codes 

Schumacher [18, Section V-C], using the Holevo bound, 
argued that if a good quantum channel code is used as a 
cryptographic code, the amount of information leakage to the 
possible eavesdropper is small. In this section, we will apply 
Schumacher's argument to CSS codes. 

A. Quantum Codes and Quantum Cryptography 

Suppose we send a fc-digit secret information V + £ 
C1/C2 physically encoded into the state </>xzv) G Qxz, 
where we regard X, Z as random variables, and assume (X, Z) 
are randomly chosen according to some distribution Pxz- 4 
Once the eavesdropper, Eve, has done an eavesdropping, 
namely, a series of measurements, Eve's measurement results 
form another random variable, say, E. We use the standard 
symbol I to denote the mutual information (in information 
theory). 

According to [18, Section V-C], 

I(V; E|X = a:, Z = (12) 

where S xz is the entropy exchange after the system suffers a 
channel noise Af, Eve's attack £ , another channel noise A/*', 
and the recovery operation 1Z = 1Z XZ for Q xz at the receiver's 
end. Let us denote by F xz the fidelity of the code (Q XZ ,1Z) 
employing the entanglement fidelity F c [18]. Specifically, 

F xz = F c (<k q ^,KN'£N) 

where ttq denotes the normalized projection operator onto Q, 
and BA{p) = B(A(p)) for two CP maps A and B, etc. Then, 
by the quantum Fano inequality [18, Section VI], we have 

S xz < h(F xz ) + (1 - F xz )2nR (13) 

where h is the binary entropy function and R = 
rT 1 log g dim Q xz . Combining J12I and Jl 3i and taking the 
averages of the end sides, we obtain 

/(V; E|XZ) 

< Eh{F xz ) + (1 - EF xz )2nR 

< h(EF xz ) + (1 - EF xz )2nR, (14) 

4 The probability distribution of a random variable Y is denoted by Py. 



where E denotes the expectation operator with respect to 
(X, Z). Hence, if 1 — EFxz goes to zero faster than 1/n, then 
/(V; E|XZ) — > as n — > 00. We have seen in [7] that the 
convergence is, in fact, exponential for some good CSS codes, 
viz., 1 -EF XZ < q- nE +< n ) with some E > 0. This, together 
with (I14> . implies 

/(V; E|XZ) < 2q- nE+o{n) [n{E + R) - o(n)], (15) 

where we used the upper bound — 2t\ogt for h(t), < t < 
1/2, which can easily be shown by differentiating tlogt (or 
by Lemma 2.7 of [19]). Thus, we could safely send a secret 
data V + C2 provided we could send the entangled state \4> xzv ) 
in (|8j and the noise level of the quantum channel including 
Eve's action were tolerable by the quantum code. 

In the above scheme, the legitimate sender, Alice, and 
receiver, Bob, should share the random variables XZ, say, 
by sending them through a public channel that is free from 
tampering of malicious parties (but see Section IIV-O . In 
particular, we assume Eve can possibly observe XZ without 
tampering them as in the literature on quantum key distribu- 
tion. 

B. Reduction to Cryptographic Code 

In [7], borrowing the idea of [6], we have reduced the above 
cryptographic scheme to the BB84 protocol. We now explain 
that this reduction argument also shows that conjugate code 
pairs (CSS codes) can be used as cryptographic codes. 

The above scheme is simply summarized as 'choose XZ = 
xz randomly, and encode the secret data into the basis 
{\4> X zv))v of the quantum code Qxz-' We would encounter 
several difficulties and drawbacks in implementing the above 
scheme in this form. Among others, the state \<fr xzv ) defined in 
(|8} is entangled in general, and therefore the above scheme is 
hard to implement with the current technology. To overcome 
this problem, we use Shor and Preskill's observation that the 
probabilistic mixture of \(f> xzv ) with x,v fixed and z chosen 
uniformly randomly over F^/C^ is given as 

777TT ^ / \4>xzv) {<P X zv I 
l°2 I z 

= 17717 \w + v + x)(w + v + x\, (16) 

which can be prepared as the mixture of states \w + v + x) 
with no entanglement. 5 Then, clearly, if Alice sends the secret 
data v encoded into the state in d!6i with x chosen randomly 
according to Fx (the marginal distribution of Pxz), the in- 
equalities deduced in the previous subsection, in particular, 
the bound on the information leakage to Eve in (I15> . remain 
true. Thus, we can send secret data safely by the following 
scheme. 

Conjugate-Code-Based Cryptographic Code. Alice sends 
a fc-digit secret information V + C^; G C1/C2 physically 
encoded into the state in (I16> where X = x is chosen randomly 
according to some distribution P\. 

5 A proof of 1161 is given in Section IVlI-FI 
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In this case, Alice and Bob should share X = x. We remark 
the random variable Z, the states \(f> xzv ) and the recovery 
operator 1Z XZ are fictitious in that they do not appear in the 
above reduced cryptographic code, but they proved useful for 
demonstrating the security. These need only exist in theory, 
and need not be implemented in practice. 

Up to now, we have fixed our attention on proving the 
security. However, we should ensure reliable transmission. 
Namely, the probability of disagreement between Alice's data 
V and Bob's data V, which should be the result of decoding 
the cryptographic code, must be reasonably small. For the 
conjugate-code-based (CSS-code-based) cryptographic code, 
we employ the following decoding principle. The receiver 
performs a decoding algorithm for the coset code x + C\ that 
correct errors in T\, a set of coset representatives of F™/Ci. 
The algorithm is the obvious modification of a decoding 
algorithm for the linear code C\. In the next subsection, we 
will see that a CSS quantum code with high fidelity results 
in a secure and reliable cryptographic code, where a reliable 
cryptographic code means that with small decoding error 
probability. Note that // Px(x) — 1 for some x, we do not 
have to send X (see the next subsection). 

C. Evaluating Fidelity 

Note that the underlying CSS codes (before the reduction) 
has the fidelity Z/ 'x/ which is bounded by 

1-EF XZ <P A (J(T[,T'2) C ), (17) 

where J, r[ and T' 2 are as in dim and dl It . The right-hand side 
of ( 1171 can be written as Pr{£ £ or £ £ T^}, and hence 
we have 1-EF XZ < Pr{£ £ r' x } + Pr{£ £ T' 2 }, where £ and 
£ are random variables such that the distribution of [£, Q is 
given by P4. The equality holds in dl7> if |Ti| = q n ~ kl and 
1 = q n ~ k2 (namely, if they are complete systems of coset 
representatives). This follows from that the code is Nj(pi r^)- 
correcting and that the fidelity of an iVj-correcting symplectic 
code is 1 - P A (J) for a channel A : L(H®") -> L(H® n ), 
where the probability distribution P4 is associated with A in 
the manner described in [7], [17] (see also Section|Vj. In the 
present context, A = Af'SAf. An important fact is that the 
right-hand side of d!7t is smaller than Pr{£ £ T x }, which is 
the decoding error probability when the quotient code CxjC^ 
is used as a conjugate-code-based cryptographic code. Hence, 
by bounding the fidelity of the underlying CSS quantum codes, 
we automatically obtain bounds on the security and reliability 
simultaneously. 

There are subtleties on (I17> . This fidelity bound is true for a 
general TPCP map A : L(H®«) -> L(H®") if P X z is uniform. 
This is because (II 71 is based on Corollary 4 to Theorem 3 in 
[17] or the alternative reasoning in [7, Appendix A] and any 
of these assumes the distribution of the syndrome (X, Z) is 
uniform. A desirable situation in the reduced cryptographic 
code is that the entropy of Px is small. In particular, if 
Px(x) = 1 for some x, or d!7i is true for such a random 
variable X for other reasons, we do not need the public channel 
to send X. This is possible if the map A = N'EN is known to 
the legitimate participants of the protocol as explained below. 



The history of information theory suggests it would be 
reasonable to treat first the tractable case where £ is known 
to the legitimate participants (and A = £® n ) to pursue the 
fundamentals of the issue of transmitting private data (cf. 
[20], [21]). Then, we can interpret the above argument as 
indicating the existence of a good cryptographic code (a kind 
of random coding proof). Namely, we can single out the best 
index x such that Ez-Fsz > Exz-Fxz, where Ey denotes the 
expectation operator with respect to a random variable Y. 
Replacing the original random variable X with that whose 
probability concentrates on x, we have a protocol that does 
not require transmission of information X through an auxiliary 
public channel. 

Still, it would be desirable to remove the assumption that 
the legitimate participants know A. That is, universal codes 
that do not depend on the channel characteristics are desir- 
able. Regarding this issue, we make a small step forward. 
It seems difficult to construct universal cryptographic codes 
without transmission of auxiliary information for the com- 
pletely general class of channels. However, this is possible 
with our conjugate-code-based cryptographic code if the class 
of A is restricted to those such that KzF x z does not depend 
on x. This situation occurs if, e.g., A has the form A : 
P ^ T, u ,w&™ P ( u i w ) XUZW p( XUZw y with a probability 
distribution P on (F™) 2 . This condition is equivalent to that A 
is 'Weyl-covariant' : N X A = AJ\f x , where M x : p h-> N x pN£, 
x e X n (see, e.g., [17, Section 2.5]). More generally, the 
situation occurs if A has the property 

A{X u pX- u ) = X u A{p)X- u 

for any p 6 L(H® n ) and ugP. This condition is equivalent 
to 

(I - u\A(\i - u)(j - u\)\m -u) = (l\A(\i)(j\)W 

for any i, j, l,m,u £ F™, which reads 'the channel looks the 
same if we translate the basis to (\i — u))i' 

V. General Symplectic Codes 

In this and next sections, the order q of the finite field 
F g is not necessarily a prime. In this section, we digress 
to explain how general symplectic codes are defined and 
how CSS codes are obtained from the general definition. The 
2rt-dimensional linear space F 2 ™ over ¥ q equipped with the 
standard symplectic form 

fsp (O^i , zii ■ • ■ , x n , z n ) , (x^ , z x , . . . , x n , z n )) 

= y ' x i z i ~ z i x i 
i 

which has already appeared in (|6j, plays a crucial role in 
algebraic QECCs. We can define the dual L ±sp of L by 
i-Lsp = {y e F 2 " I Va; 6 L,f sp (x,y) = 0}. Let us call 
a subspace L with L ±sp < L an f sp -dual-containing code 
or a dual-containing code (with respect to the symplectic 
form f sp ). Then, we have a quantum code whose performance 
is closely related to that of the classical code L. The code 
is called a symplectic (quantum) code with parity check set 
(yi, ... , y n -k), where y 1} ... , y n _ k 6 F 2 " form a basis of 
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L sp , or a symplectic code with stabilizer N L ± sp . Here, 
N : u ^ N u is Weyl's projective representation [15] of ¥ 2 q n 
(the same as in Section HTH. 

Suppose An fc is the ensemble of [2n, n + k] f sp -dual- 
containing codes over ¥ q . We can regard them [n, (n + 
k)/2] additive codes over X = ¥ q if we pair up 
the coordinates of any word (xi, Z\, . . . , x n , z n ) to have 
((xi, 21), . . . , (x n , z n )) € X n . We can associate with an 
[n, (n+k)/2] f sp -dual-containing code a set of d k -dimensional 
subspaces of H® n , which can be used for quantum error 
correction [3], [4], [5], Namely, we have the next lemma, 
which is a slight reformulation of the original one [3], [4]. 

Lemma 1: Suppose a subspace L € A n> k and a set J of 
representatives of cosets of L in F^" are given. Then, we 
have a q k -dimensional subspace of H®" that works as an Nj- 
correcting code with a suitable recovery operator, where J = 
J + L ±ap = {x + y\ x£j,y£ L ±sp }. 

For a proof, see [4] or, e.g., [22], [17]. Roughly speaking, 
given a set of operators T, a quantum code being ^-correcting 
or a code corrects 'errors' in T means that it recovers any state 
in the code subspace perfectly after the state suffers 'errors' 
belonging to T [16]. The precise definition of .F-correcting is 
not requisite for evaluating the performance of quantum codes. 
Indeed, the next fact is enough to treat symplectic codes [17]: 
If we properly define the performance measure of symplectic 
codes, it equals the probability -Pa(J). The performance 
measure is the entanglement fidelity averaged over the whole 
syndromes, which was already used in Section HV1 

A CSS code is a symplectic code with stabilizer N L ± SV such 
that L ±sp has the form L ±sp = {[u,w] u <E C^,w <E Cj 1 } 
with some C% and C 2 - In this case, L = {[u, w] | u S G\ , w 6 
C 2 }, so that L ±sp < L can be written as C 2 < C\, the 
requirement we have posed. 

VI. Quotient Codes 

Now, we turn to the realm of finite fields or algebraic coding 
theory. In [9], the notion of quotient codes was introduced to 
explain QECCs. The aim of [9] was to exhibit the essence, 
at least, for algebraic coding theorists, of algebraic quantum 
coding. A quotient code of length n over ¥ q is an additive 
quotient group C/B with B < C < F™. In the scenario of 
quotient codes in [9], the sender encodes a message into a 
member c of C/B, chooses a word in c according to some 
probability distribution on c, and then sends it through the 
channel. Clearly, if C is a J-correcting in the ordinary sense, 
C/B is (J + B) -correcting (since adding a word in B to 
a code-coset does not change it). A conjugate-code-based 
cryptographic code effectively means a quotient code in this 
scenario. A conjugate-code-based cryptographic code may be 
said to be an error-correcting code that can protect information 
from eavesdroppers, and hence may be called a cryptographic 
error-correcting code. 

Lemma ^ mav rea d that if i is a dual-containing code 
with respect to f sp , and the quotient code L/L ±sp is J- 
correcting, then the corresponding symplectic quantum code is 
-/Vj-correcting. Turning our attention to the CSS code specified 



as above with C\, C%, the quotient code L/L ±sp has the form 
Ci/C^ © C 2 /C^. Thus, the CSS code Q xz in Section EID is 
Nj(r' ,r')-correcting with T[ = T a + C£ and T' 2 = T 2 + Cf. 
In particular, the CSS code has large fidelity if both Cx/C^ 
and C2/C1 have small decoding error probabilities. This is 
the ground where the goal described in Section |ll] stems from. 
It might be said that the structure of quotient codes were 
inherent in quantum error-correcting codes and CSS-code- 
based cryptographic codes. 

VII. Remarks 

A. Model of Eavesdropping 

A measurement is modeled as a completely positive (CP) 
instrument whose measurement result belongs to a finite or 
countable set (e.g., [23], [24], [25], [26], [27]). The specific 
model employed in this work is the same as in [7] and as 
follows. 

We assume a TPCP map A : L(H® n ) -> L(H® n ) represents 
the whole action of Eve (plus the other environment). This 
means that there exists a decomposition (CP instrument) {-4,:}i 
such that A = J2i ^i, where A% are trace-nonincreasing CP 
maps, and when the initial state of the system of the whole 
sent digits is p, Eve obtains data E = i with probability 
Tt Ai(p) leaving the system in state Ai(p) /Tr Ai(p). Here, 
the decomposition may depend on the other random variables 
available to Eve. 

A minor comment follows. Let the random variable E' 
denotes Eve's measurement result on the whole sent digits. 
Then, the random variable E above mentioned has more 
information than E' since E includes the data relevant to the 
other environment. However, there is no harm in considering 
E as Eve's data for the purpose of proving the security. 

B. Related Information Theoretic Problems 

In [20], [21], information theoretic problems related to ours 
are treated. These and the present work or [7] share the goal of 
secure transmission of private data, but their specific purpose 
in [20], [21] is to establish coding theorems on the best 
asymptotically achievable rates. Our codes are linear codes 
while theirs lack such a helpful structure and are hard to 
conceive aimed at practical use. 

The quantum theoretical models treated in the literature 
above mentioned can be regarded as generalizations of that 
of [28]. What are called conjugate-code-based cryptographic 
codes in the present work essentially fall in the class of coding 
systems in [28]. 

C. Wiesner's Conjugate Coding 

The term 'conjugate coding' appeared in the pioneering 
work on quantum cryptography [29], where the idea of encod- 
ing secret information into quantum states, more specifically, 
into conjugate bases, was proposed. This idea is still alive 
in CSS-code-based cryptographic codes or QKD schemes. 
However, this is a problem of modulation in the language of 
communication engineers. Thus, our meaning of 'conjugate' 
is different from, though related to, that of [29]. 
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D. QKD Protocol 

The BB84 QKD protocol as treated in [30], [6] or its vari- 
ants is, roughly speaking, the CSS-code-based cryptographic 
code plus a scheme for estimating the noise level, where the 
noise includes the effect of eavesdropping. Mainly due to the 
scheme for noise estimation, the protocol needs public commu- 
nication. We have used the dichotomy of cryptographic codes 
and estimation schemes in analysis of the QKD protocol [7], 
and have focused more on cryptographic codes in the present 
work. 

E. Non-prime Alphabet 

Let q — p m with p prime. We have assumed m = 1 
in Sections [H]] and I1VI When m > 1, a conjugate code 
pair (Ci, C2) over ¥ q is still useful for quantum coding and 
cryptography. This is because elements of F g can be expanded 
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into F™ 1 using dual bases in such a way that Tr 



f,/f p xy 



\C 



J2i x iVi' where (xi, . . . , x m ) is the representation of x with 
respect to one basis and (yi, . . . , y m ) is that of y with respect 
to the dual [31]. Applying these representations to (C\,C2), 
we obtain a conjugate code pair over F p . This follows easily 
from [32, Theorem 1], or [33, Theorem 1]. 

F. Proof of Xl6l 

The left-hand side can be written as 

Y, uZ ' iw ~ w,) \ x+v+w ^ x+v+w '\ 

and we see uj z '( w ~ w ) vanishes whenever w ^ u>'. 6 Hence, 
we have dl6l . 

G. Other Comments 

We take this opportunity to make corrections to related 
works of the present author [7], [34], [9]. (a) Ref. [7]: On 
p. 8313, line 5, T n = T n + 1™' should read T n = T n + 
{0",1"}'. (b) Ref. [9]: On p. 453, right column, 5th line 
from the bottom, 'basis of L' should read 'basis of L ±sp '. 
(c) Ref. [9]: On p. 453, right column, 4th line from the 
bottom, 'N L ' should read 'N L x ap '. (d) Ref. [34]: On p. 6, right 
column, line 16, the period should be removed, and 'With' in 
the subsequent line should be decapitalized. 

VIII. Summary and Concluding Remarks 

Conjugate codes were introduced without referring to 
Hilbert spaces so as to be more accessible to algebraic coding 
theorists. The bridge between the coding theorists' universe, 
the vector space over a finite field, and quantum mechanical 
worlds that are represented by Hilbert spaces is Weyl's pro- 
jective representation N of F^™ ~ X n , N : X n 3 x i-> N x . 
Applicability of conjugate codes to cryptography was argued. 
A class of good conjugate code pairs will be given in future 
works [33], [35], [36]. 

6 This follows by an easy direct calculation, but may be seen as a basic 
property of characters (e.g., [12]): the map / : z >— » ui z '( w ~ w > is a character, 
and /(z) ^ 1 for some z if w ^ w'. 
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